Time will Tell: Large-scale De-anonymization of Hidden I2P Services via Live Behavior Alignment (Extended Version)

📅 2025-12-17
📈 Citations: 0
✨ Influential: 0
🤖 AI Summary
To address the scalability challenge of large-scale hidden-service deanonymization in the I2P network, this paper proposes I2PERCEPTION, a passive, fine-grained behavioral alignment approach. It deploys a small number of floodfill routers to passively collect RouterInfo messages, accurately models router online/offline timing patterns, and performs real-time correlation matching against the operational schedules of target hidden services. Unlike prior methods, it requires neither active traffic injection nor full-network monitoring; instead, it combines lightweight active probing with RouterInfo temporal analysis to achieve high-precision attribution. Over an eight-month evaluation, I2PERCEPTION successfully deanonymized all controlled hidden services using only 15 floodfill nodes, demonstrating strong scalability and practicality. This work introduces, for the first time, a real-time behavioral alignment paradigm to I2P deanonymization, significantly reducing both resource overhead and deployment complexity.

πŸ“ Abstract
I2P (Invisible Internet Project) is a popular anonymous communication network. While existing de-anonymization methods for I2P focus on identifying potential traffic patterns of target hidden services among extensive network traffic, they often fail to scale effectively across the large and diverse I2P network, which consists of numerous routers. In this paper, we introduce I2PERCEPTION a low-cost approach revealing the IP addresses of I2P hidden services. In I2PERCEPTION, attackers deploy floodfill routers to passively monitor I2P routers and collect their RouterInfo. We analyze the router information publication mechanism to accurately identify routers' join (i.e. on) and leave (i.e. off) behaviors, enabling fine-grained live behavior inference across the I2P network. Active probing is used to obtain the live behavior (i.e., on-off patterns) of a target hidden service hosted on one of the I2P routers. By correlating the live behaviors of the target hidden service and I2P routers over time, we narrow down the set of routers matching the hidden service's behavior, revealing the hidden service's true network identity for de-anonymization. Through the deployment of only 15 floodfill routers over the course of eight months, we validate the precision and effectiveness of our approach with extensive real-world experiments. Our results show that I2PERCEPTION successfully de-anonymizes all controlled hidden services.
Problem

Research questions and friction points this paper is trying to address.

Identifies hidden I2P services' IP addresses via behavior correlation
Scales de-anonymization across diverse I2P networks using passive monitoring
Uses live on-off patterns to reveal hidden services' network identity
Innovation

Methods, ideas, or system contributions that make the work stand out.

Deploy floodfill routers to monitor I2P routers passively
Analyze router publication to infer on-off behaviors
Correlate hidden service behavior with router patterns
Authors

Hongze Wang, Southeast University
Zhen Ling, Professor, Southeast University (Network, IoT)
Xiangyu Xu, Southeast University
Yumingzhi Pan, Southeast University
Guangchi Liu, Southeast University
Junzhou Luo, Southeast University
Xinwen Fu, University of Massachusetts Lowell (Computer security and privacy)